How to Proxy Postman via ZAP + Manual API Exploring
In this blog post, we show you how to route Postman's traffic through ZAP so that you can explore an API manually while ZAP records every request and response you send.
Prerequisites:
- If you have not read how to import OpenAPI/Swagger API specifications into ZAP, please read https://augment1security.com/api-scanning/how-to-import-openapi-swagger-api-specification-into-zap/
- ZAP 2.9.0
- Postman or any API exploring tool
Getting Proxy Information
Open the Options dialog in ZAP by clicking the Options button on the toolbar.
Go to the Local Proxies section and note the address and port that ZAP is listening on (the red box in the screenshot; by default this is localhost, port 8080).
Setting Up Postman to Proxy Via ZAP
Launch Postman and open Settings.
Go to the Proxy tab, enable a custom proxy configuration for both HTTP and HTTPS, and enter the address and port you noted from the Local Proxies section above.
Now create a new GET request in Postman like the one below and send it. Note that the request still specifies the target URL of the Petstore server; it is the proxy setting that makes Postman hand the request to ZAP, which then forwards it to the Petstore server and relays the response back. For an HTTPS target, ZAP terminates TLS and presents a certificate issued by its own root CA, so Postman will reject the connection unless you either import ZAP's root CA (exported from Options > Dynamic SSL Certificates in ZAP 2.9.0) into your system trust store or turn off SSL certificate verification in Postman's General settings.
You can confirm that the request went through ZAP by looking at ZAP's Sites tree, where the Petstore host and the request you just sent now appear.
You can now explore the Petstore API manually with Postman; every request is recorded by ZAP, passively scanned as it passes through, and available for replay or active scanning later.
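The same round trip driven from a script instead of Postman, as an added example that is not part of the original post: it sends a request to the Petstore API through ZAP's local proxy and then asks ZAP's REST API whether the site was recorded, which is a scriptable version of checking the Sites tree by eye. It assumes ZAP is listening on 127.0.0.1:8080, that the ZAP API key is in the ZAP_API_KEY environment variable, and that ZAP's root CA has been exported to a file named zap_root_ca.cer next to the script (all three are assumptions, not values from the post). The sample ZAP API response used by the helpers is constructed to match the shape of the core/view/sites endpoint.

```python
"""Send a request through ZAP's local proxy and confirm ZAP recorded it.

Added example, not code from the original post. Assumed: ZAP's Local Proxy is
127.0.0.1:8080, the API key is in $ZAP_API_KEY, and ZAP's root CA (exported
from Options > Dynamic SSL Certificates) is saved as zap_root_ca.cer.
"""
import json
import os
import ssl
import urllib.request
from typing import Optional
from urllib.parse import urlencode, urlsplit

ZAP_HOST = "127.0.0.1"          # assumed: ZAP's default Local Proxy address
ZAP_PORT = 8080                 # assumed: ZAP's default Local Proxy port
ZAP_CA_FILE = "zap_root_ca.cer"  # assumed filename of the exported ZAP root CA
TARGET = "https://petstore.swagger.io/v2/pet/findByStatus?status=available"

# Constructed sample of what ZAP's core/view/sites endpoint returns after one
# request to the Petstore host has passed through the proxy.
SAMPLE_SITES_RESPONSE = '{"sites": ["https://petstore.swagger.io"]}'


def proxy_map(host: str, port: int) -> dict:
    """Proxy settings in the shape urllib (and most HTTP clients) expect.

    Both http and https traffic go to the same plain-HTTP listener; ZAP
    terminates TLS itself using per-host certificates from its root CA."""
    proxy = f"http://{host}:{port}"
    return {"http": proxy, "https": proxy}


def build_opener(host: str, port: int, ca_file: Optional[str]):
    """An opener that routes every request through ZAP.

    If ZAP's root CA is not trusted, every https request fails certificate
    verification, because the certificate presented is ZAP's, not the target's.
    Passing ca_file=None keeps the system trust store (use it only if you have
    imported ZAP's CA there already)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    return urllib.request.build_opener(
        urllib.request.ProxyHandler(proxy_map(host, port)),
        urllib.request.HTTPSHandler(context=ctx),
    )


def site_root(url: str) -> str:
    """The node ZAP's Sites tree keys on: scheme, host, and a non-default port."""
    parts = urlsplit(url)
    default_port = {"http": 80, "https": 443}.get(parts.scheme)
    host = parts.hostname or ""
    if parts.port and parts.port != default_port:
        return f"{parts.scheme}://{host}:{parts.port}"
    return f"{parts.scheme}://{host}"


def recorded_in_zap(sites_response: str, url: str) -> bool:
    """True if a core/view/sites JSON response lists the site root of url."""
    sites = json.loads(sites_response).get("sites", [])
    return site_root(url) in sites


def zap_sites(api_key: str, host: str = ZAP_HOST, port: int = ZAP_PORT) -> str:
    """Ask ZAP's REST API (served on the proxy listener) which sites it has seen."""
    query = urlencode({"apikey": api_key})
    url = f"http://{host}:{port}/JSON/core/view/sites/?{query}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    api_key = os.environ["ZAP_API_KEY"]
    ca = ZAP_CA_FILE if os.path.exists(ZAP_CA_FILE) else None
    opener = build_opener(ZAP_HOST, ZAP_PORT, ca)
    with opener.open(TARGET, timeout=30) as resp:
        print("target answered", resp.status, "via ZAP")
    print("recorded by ZAP:", recorded_in_zap(zap_sites(api_key), TARGET))
```

Run it with ZAP open and the Petstore host appears in the Sites tree exactly as it does for a request sent from Postman; `recorded_in_zap` gives you the same confirmation from the API, which is useful once you move from clicking through Postman to scripted exploration.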